05-13-2010 10:39 AM - edited 03-11-2019 10:45 AM
We have a site to site VPN between an 800 series router and a VPN concentrator. I want to implement the Zone-based firewall on on the router.
On the 800 series router, once I apply the zone to the outside interface, which is "Dialer 1", the VPN connection is terminated. Based on the configuration below, what am I missing?
ip access-list extended county-out
 permit ip any 192.168.60.0 0.0.0.255
ip access-list extended county-in
 permit ip 192.168.60.0 0.0.0.255 any
ip access-list extended ICMPReply
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any ttl-exceeded
 permit icmp any any packet-too-big
ip access-list extended esp-traffic
 permit esp any any
class-map type inspect match-any IPSec
 match protocol isakmp
 match protocol ipsec-msft
 match access-group name esp-traffic
class-map type inspect match-all ICMPReply
 match access-group name ICMPReply
class-map type inspect match-any in-out
 match access-group name county-in
 match protocol icmp
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
class-map type inspect match-any out-in
 match access-group name county-out
policy-map type inspect OutToSelf
 description Permitted traffic from Internet to Router
 class type inspect ICMPReply
  pass
 class type inspect IPSec
  pass
 class class-default
  drop log
policy-map type inspect access-county
 class type inspect in-out
  inspect
 class class-default
  drop
policy-map type inspect county-out
 class type inspect out-in
  inspect
zone security in-zone
zone security out-zone
zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county
zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out
05-13-2010 12:21 PM
I would try to configure a zone-pair from the self zone to the out zone and permit all IP... If not, just get the ... "ip inspect log drop-pkt".
This will tell us why the traffic is being dropped. If you attach a diagram of the topology, that will help us understand why it's not working. Are you using NAT for any of the endpoints?
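The reply above points at the direction the original configuration does not cover: a zone-pair exists from out-zone to self, but none from self to out-zone. The script below is an added example, not code from the thread or from Cisco; it parses the zone and zone-pair lines of a zone-based firewall configuration (the sample embedded in it is the posted configuration, copied here so the script runs offline) and lists, for every ordered pair of zones including self, whether a policy applies or the ZBF default (drop between security zones, permit to/from self) is in effect. It also flags zone-pairs involving self whose reverse direction has no zone-pair, which is exactly the gap the reply suggests closing. The function names and the report wording are this example's own.

```python
import re
from itertools import permutations

# Constructed sample: the zone/zone-pair portion of the configuration
# posted in the thread, embedded here so the script runs offline.
SAMPLE_CONFIG = """
zone security in-zone
zone security out-zone
zone-pair security OutToSelf source out-zone destination self
 service-policy type inspect OutToSelf
zone-pair security in-out source in-zone destination out-zone
 service-policy type inspect access-county
zone-pair security county-in source out-zone destination in-zone
 service-policy type inspect county-out
"""

ZONE_RE = re.compile(r"^zone security (\S+)$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
POLICY_RE = re.compile(r"^service-policy type inspect (\S+)$")


def parse_zone_pairs(config):
    """Return (zones, pairs); pairs maps (src, dst) -> policy name or None."""
    zones = set()
    pairs = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            zones.add(m.group(1))
            continue
        m = PAIR_RE.match(line)
        if m:
            current = (m.group(2), m.group(3))
            pairs[current] = None  # zone-pair with no service-policy yet
            continue
        m = POLICY_RE.match(line)
        if m and current is not None:
            pairs[current] = m.group(1)
    return zones, pairs


def audit_directions(zones, pairs):
    """Describe the effective behaviour of every ordered zone direction.

    ZBF defaults when no zone-pair exists: traffic between two security
    zones is dropped; traffic to or from the router's own self zone is
    permitted. A zone-pair in one direction does not change the default
    for the reverse direction.
    """
    report = {}
    for src, dst in permutations(sorted(zones | {"self"}), 2):
        policy = pairs.get((src, dst))
        if policy is not None:
            report[(src, dst)] = f"policy {policy}"
        elif "self" in (src, dst):
            report[(src, dst)] = "no zone-pair: permitted by default (self)"
        else:
            report[(src, dst)] = "no zone-pair: dropped by default"
    return report


def missing_reverse_self_pairs(pairs):
    """Zone-pairs involving self whose reverse direction has no zone-pair."""
    return sorted(
        (src, dst) for (src, dst) in pairs
        if "self" in (src, dst) and (dst, src) not in pairs
    )


if __name__ == "__main__":
    zones, pairs = parse_zone_pairs(SAMPLE_CONFIG)
    for direction, verdict in audit_directions(zones, pairs).items():
        print(f"{direction[0]:>9} -> {direction[1]:<9} {verdict}")
    for src, dst in missing_reverse_self_pairs(pairs):
        print(f"zone-pair {src}->{dst} exists but {dst}->{src} does not")
```

Run against the posted configuration it reports self -> out-zone as "permitted by default (self)" and flags the out-zone -> self pair as lacking its reverse, so the router's own ISAKMP/ESP replies toward the concentrator rely on the default rather than on an explicit policy. The parser only understands the zone and zone-pair lines; class-maps, policy-maps and access-lists would need their own passes.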
05-13-2010 01:01 PM
Thanks for the reply! It does work when I modify the self/out-zone pair with "ip any any". However, I want to be more specific if possible. I am using NAT on each endpoint as well. Unfortunately I am not on site; I have the configuration unsaved and I am having the router reload automatically to go back to its original configuration. I will try the "ip inspect log drop-pkt".
I'll try to illustrate a quick topology:
192.168.60.x/24------871 router<-------Internet------->VPN Concentrator------172.16.16.0/20
05-13-2010 01:15 PM
Ok, but you are not NATing the endpoints; they are using the public IPs, right?
05-13-2010 01:31 PM
Yes, they are using public IPs.